Auditing - A Built-in Feature of SharePoint

In this article we can explore the Audit feature of SharePoint 2010. This is a built-in feature and provides a great amount of flexibility for Administrators & Developers.

What is Auditing in SharePoint?

Auditing involves Activity Tracking inside the SharePoint environment. The auditing reports generated can be used by Administrators or Managers to determine the usage of SharePoint resources.

By enabling Auditing we can track activities like:

  • List Access
  • Library Access
  • Opening of Documents
  • Editing Items
  • Check In / Check Out
  • Copying / Moving / Deleting items
  • Searching
  • Editing Permissions

The following is a sample of how a detailed audit report looks:

AdtShr1.gif

Under the hood, SharePoint uses events and a SQL Server table to retrieve & save the audit entries. The following are the topics we are discussing in this article:

  • Enable Audit
  • View Audit Entries
  • Custom Report
  • Server Object Models
  • Audit Event Types
  • Writing custom Audit entries

Enable Audit

We can enable audit for a site collection from the Site Settings > Audit Settings link.

AdtShr2.gif

From the Configure Audit Settings page that is opened specify the events to be audited.

AdtShr3.gif

Once you have enabled auditing you can go ahead and try accessing/modifying existing list/library items. These activities should be triggering the Audit entry creation.

Note: Please note that in real-world scenarios you should only enable the events required. Too many event auditing queues more work to the server and can degrade the performance.

View Audit Entries

Now we can proceed to view the audit entries just created. You can use the Audit log reports from the Site Settings page, as in:

AdtShr4.gif

In the page that appears, View Auditing Reports, you will see there are various categories of reports like:

  • Content Modification
  • Content Viewing
  • Deletion
  • Policy Modification etc.

Click on the Content Viewing since this time we are interested in only Viewing reports. In the dialog that appears enter the document library to save the report to. Click Ok to generate the report. (The report is a document and hence a document library is required to save it.)

AdtShr5.gif

Click on the Click here to view report link to view the report. It should open in an XLSX document. There are 2 tabs on the XLSX file – summary and detailed.

Custom Report

Now we can try using the Custom Report generation. This options is useful when we need to get a report based on / or a combination of:

  • Custom List
  • Particular user
  • Date Range

Please note that under the hood SharePoint has saved all the event records. The custom report will be filtering the records based on the user selection.

To generate the custom report, go to Site Settings > Audit log reports > Run a custom report

AdtShr6.gif

You should get the following page with filtering options:

AdtShr7.gif

You can choose the Save Location, List, Dates, Users, and Events and click the OK button to generate the report as XLSX file.

AdtShr8.gif

Server Object Models

The good thing is that we can use Server Object Model to interact with Audit. the following are some of the important audit classes inside the Microsoft.SharePoint namespace:

  • SPAudit
  • SPAuditEntry
  • SPAuditEventType
  • SPAuditQuery

SPAudit

SPAudit is the main class which can be used to access the audit settings for the associated object. The server object models like SPSite, SPWeb, SPList, SPDocumentLibrary contains a property named Audit which represents the underlying SPAudit settings.

The SPAudit class contains methods for the following operations:

  • GetAuditEntries() to get the audit entries
  • Update() to update modifications to audit settings

The following is the code to get audit entries:

private void GetAuditEntriesButton_Click(object sender, EventArgs e)

{

    SPSite site = new SPSite("http://localhost");

 

    SPAudit audit = site.Audit;

 

    var collection = audit.GetEntries();

}


The following is the code to update audit settings for the site:

private void UpdateButton_Click(object sender, EventArgs e)

{

    SPSite site = new SPSite("http://localhost");

 

    SPAudit audit = site.Audit;

 

    audit.AuditFlags = SPAuditMaskType.None;

 

    audit.Update();

}

The above code clears all Audit Events by setting the AuditFlags property to None. After executing the code you can revisit the Site Collection Audit Settings to see that all the events are unchecked.

Note: You can use the SPAudit class to update audit settings across multiple site collections in one shot. Plus you can automate clearing the audit entries using the DeleteEntries() method.

SPAuditEventType

This enumeration SPAuditEventType is needed to specify the event type of the audit entry. The enumeration contains the following members:
 

public enum SPAuditEventType

{

    AuditMaskChange = 14,

    CheckIn = 2,

    CheckOut = 1,

    ChildDelete = 7,

    ChildMove = 0x10,

    Copy = 12,

    Custom = 100,

    Delete = 4,

    EventsDeleted = 50,

    FileFragmentWrite = 0x11,

    Move = 13,

    ProfileChange = 6,

    SchemaChange = 8,

    Search = 15,

    SecGroupCreate = 30,

    SecGroupDelete = 0x1f,

    SecGroupMemberAdd = 0x20,

    SecGroupMemberDel = 0x21,

    SecRoleBindBreakInherit = 40,

    SecRoleBindInherit = 0x27,

    SecRoleBindUpdate = 0x26,

    SecRoleDefBreakInherit = 0x25,

    SecRoleDefCreate = 0x22,

    SecRoleDefDelete = 0x23,

    SecRoleDefModify = 0x24,

    Undelete = 10,

    Update = 5,

    View = 3,

    Workflow = 11

}


SPAuditQuery

SPAuditQuery represents the class to do filtered fetching of audit entries. It provides the following methods and properties:

AdtShr9.gif

You can see that the methods are similar to the options available in the custom report generation page. The sample code using SPAuditQuery is included in the attached source.

Writing custom Audit entries

Occasionally we needed to write custom audit information for a SharePoint solution. In this case we can reuse the Audit Server Object Model mechanism to do that.
The following is the code that writes to the Audit entry:
 

private void WriteAuditEvent_Click(object sender, EventArgs e)

{

    SPSite site = new SPSite("http://localhost");

 

    SPAudit audit = site.Audit;

 

    audit.WriteAuditEvent(SPAuditEventType.Custom, "MySource", "<xml/>");

}

After execution you will see the new entry through invocation of the GetAuditEntries() method. You can use the associated application to view it.

AdtShr10.gif

Remark on Database Usage

The audit entries are stored inside the SharePoint database. You can view this database inside the SharePoint SQL Server instance. The table storing the Audit records is AuditData. For inserting your own records into the table it is recommended to use the Server Object Model.

References

SharePoint 2010 Audit Configuration
SharePoint 2010 View Audit Log Reports


Summary

In this article we have explored the Audit feature of SharePoint. I believe now you will agree that it is a good feature that saves lot of our time otherwise would have invested in writing events and persisting code.

The associated code contains the examples we have discussed.